[Webkit-unassigned] [Bug 181934] New: WebKitGTK/JavaScriptCore segfault with CrashOnOverflow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 22 07:55:24 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=181934

            Bug ID: 181934
           Summary: WebKitGTK/JavaScriptCore segfault with CrashOnOverflow
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sevendays37 at gmail.com

Crashes on the latest version of WebKitGTK/JavaScriptCore (both debug and release builds).

Here is the input code.

function foo(v1, v2)
{
  // Throws the JSON text of both arguments joined into one string
  throw JSON.stringify(v1) + JSON.stringify(v2);
}

function func_0() {
  try {
    // Recurses until the stack overflows; the value caught one level
    // down is then passed to foo, which throws it re-quoted with "1" appended
    foo(func_0(func_0), 1);
  } catch (func_0) {
    // The catch parameter shadows func_0; the caught value is returned
    // to the caller, which feeds it back into foo one level up
    return func_0;
  }
}

func_0();

It seems that this code causes an integer overflow at StringBuilderJSON.cpp:85:
85     maximumCapacityRequired += 2 + stringLength * 6;


(gdb) r
Starting program: /data/WebKit/WebKitBuild/Debug/bin/jsc test.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff0cef700 (LWP 15461)]
[New Thread 0x7fffaf6ff700 (LWP 15462)]
[New Thread 0x7fffaeefe700 (LWP 15463)]
[New Thread 0x7fffad9ff700 (LWP 15464)]
[New Thread 0x7fffad1fe700 (LWP 15465)]
[New Thread 0x7fffac9fd700 (LWP 15466)]
[New Thread 0x7fffa7fff700 (LWP 15467)]
[New Thread 0x7fffa77fe700 (LWP 15468)]
[New Thread 0x7fffa6ffd700 (LWP 15469)]
[New Thread 0x7fffa67fc700 (LWP 15470)]
1   0x7ffff6d6a123 WTFCrash
2   0x46764e WTF::CrashOnOverflow::hasOverflowed() const
3   0x467645 WTF::CrashOnOverflow::crash()
4   0x7ffff5f5ba90 JSC::CompleteSubspace* JSC::JSCell::subspaceFor<JSC::JSSet>(JSC::VM&)
5   0x7ffff6dc29fc
6   0x7ffff6dc250f
7   0x7ffff6dc21d5 WTF::StringBuilder::appendQuotedJSONString(WTF::String const&)
8   0x7ffff6a3e4b8 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
9   0x7ffff6a3ddf9 JSC::Stringifier::stringify(JSC::JSValue)
10  0x7ffff6a40c1e JSC::JSONProtoFuncStringify(JSC::ExecState*)
11  0x7fffb02ff178

Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
0x00007ffff6d6a128 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:272
272         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff6d6a128 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:272
#1  0x000000000046764e in WTF::CrashOnOverflow::crash () at ../../Source/WTF/wtf/CheckedArithmetic.h:85
#2  0x0000000000467645 in WTF::CrashOnOverflow::overflowed () at ../../Source/WTF/wtf/CheckedArithmetic.h:78
#3  0x00007ffff5f5ba90 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked (this=0x7fffffc1e310)
    at ../../Source/WTF/wtf/CheckedArithmetic.h:462
#4  0x00007ffff6dc29fc in WTF::operator*<unsigned int, int, WTF::CrashOnOverflow> (lhs=..., rhs=...)
    at ../../Source/WTF/wtf/CheckedArithmetic.h:745
#5  0x00007ffff6dc250f in WTF::operator*<unsigned int, int, WTF::CrashOnOverflow> (lhs=..., rhs=6)
    at ../../Source/WTF/wtf/CheckedArithmetic.h:761
#6  0x00007ffff6dc21d5 in WTF::StringBuilder::appendQuotedJSONString (this=0x7fffffc1e5b0, string=...)
    at ../../Source/WTF/wtf/text/StringBuilderJSON.cpp:85
#7  0x00007ffff6a3e4b8 in JSC::Stringifier::appendStringifiedValue (this=0x7fffffc1e6c0, builder=..., value=..., 
    holder=..., propertyName=...) at ../../Source/JavaScriptCore/runtime/JSONObject.cpp:360
#8  0x00007ffff6a3ddf9 in JSC::Stringifier::stringify (this=0x7fffffc1e6c0, value=...)
    at ../../Source/JavaScriptCore/runtime/JSONObject.cpp:275
#9  0x00007ffff6a40c1e in JSC::JSONProtoFuncStringify (exec=0x7fffffc1e9f0)
    at ../../Source/JavaScriptCore/runtime/JSONObject.cpp:841
#10 0x00007fffb02ff178 in ?? ()
#11 0x00007fffffc1ea70 in ?? ()
#12 0x00007ffff67b5a47 in llint_entry () at ../../Source/JavaScriptCore/runtime/Butterfly.h:52
Backtrace stopped: frame did not save the PC

-- 
You are receiving this mail because:
You are the assignee for the bug.
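The arithmetic behind the reported crash, as an added worked example (not WebKit code and not the reporter's): it re-implements the checked expression 2 + stringLength * 6 with 32-bit unsigned semantics, shows the wrapped value that plain unsigned arithmetic would produce for the same length, and models how the thrown string grows at each unwinding level of the reproducer. The starting string "{}1" (JSON.stringify of the caught RangeError taken as "{}"), the escaping rules applied per level, and all function names are assumptions of this model, not measurements from jsc.

```cpp
// Added example, not WebKit code. Models the checked expression
//     maximumCapacityRequired += 2 + stringLength * 6;
// from StringBuilder::appendQuotedJSONString with 32-bit unsigned
// arithmetic (the Checked<unsigned int, CrashOnOverflow> in the trace),
// and models how the reporter's recursion grows the string per level.
#include <cstdint>
#include <cstdio>
#include <limits>

struct CapacityResult {
    uint32_t capacity;   // meaningful only when !overflowed
    bool overflowed;     // true where CrashOnOverflow would call WTFCrash()
};

// Worst-case quoted size: every code unit may become "\uXXXX" (6 units)
// plus the two enclosing quote characters. Computed with overflow checks,
// as Checked<unsigned, CrashOnOverflow> does, but reporting instead of crashing.
CapacityResult checkedQuotedJSONCapacity(uint64_t stringLength) {
    constexpr uint64_t kMax = std::numeric_limits<uint32_t>::max();
    if (stringLength > kMax)
        return {0, true};
    uint64_t product = stringLength * 6;   // fits in 64 bits since stringLength < 2^32
    if (product > kMax || product + 2 > kMax)
        return {0, true};
    return {static_cast<uint32_t>(product + 2), false};
}

// The same expression with plain unsigned arithmetic: wraps modulo 2^32,
// which is the undersized-capacity outcome the checked type exists to prevent.
uint32_t uncheckedQuotedJSONCapacity(uint32_t stringLength) {
    return 2u + stringLength * 6u;
}

// Smallest stringLength for which the checked expression overflows.
uint64_t smallestOverflowingLength() {
    return (uint64_t(std::numeric_limits<uint32_t>::max()) - 2) / 6 + 1;
}

// Shape of the thrown string in the reproducer, tracked as character
// counts so no gigabyte string has to be built. JSON.stringify turns
// each " into \" and each \ into \\ and adds two outer quotes; the
// reproducer then appends JSON.stringify(1), i.e. "1".
struct Shape {
    uint64_t other, quote, backslash;
    uint64_t length() const { return other + quote + backslash; }
};

Shape nextLevel(Shape s) {
    return { s.other + 1, s.quote + 2, s.backslash * 2 + s.quote };
}

// Levels of unwinding until the string being stringified is long enough
// for 2 + length * 6 to overflow. Assumption: the first thrown string is
// "{}1" (JSON.stringify of the caught RangeError object taken as "{}").
unsigned levelsUntilOverflow() {
    Shape s{3, 0, 0};
    unsigned level = 0;
    while (!checkedQuotedJSONCapacity(s.length()).overflowed) {
        s = nextLevel(s);
        ++level;
    }
    return level;
}

int main() {
    uint64_t n = smallestOverflowingLength();
    std::printf("first overflowing length: %llu\n", (unsigned long long)n);
    std::printf("unchecked capacity for it: %u (wrapped)\n",
                uncheckedQuotedJSONCapacity((uint32_t)n));
    std::printf("levels of unwinding needed: %u\n", levelsUntilOverflow());
    return 0;
}
```

Any C++11 compiler builds it. The unchecked variant is the point of the CrashOnOverflow policy seen in the trace: for the first overflowing length the wrapped capacity comes out as 4, so without the check the builder would reserve four code units for a string of over 700 million, whereas the checked type diverts to WTFCrash() and the deliberate store to 0xbbadbeef. The backslash count roughly doubles per level, so in this model the overflow is reached after a few dozen unwinding levels, well within the frame depth a stack-overflow recursion leaves behind.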